From 2200ff4378efc8172850b2f07ec05f1984f049c1 Mon Sep 17 00:00:00 2001
From: Slavek Kabrda <bkabrda@redhat.com>
Date: Aug 28 2018 09:21:24 +0000
Subject: Fix force logout button by making it form submit to be able to send post request


---

diff --git a/pagure/templates/user_settings.html b/pagure/templates/user_settings.html
index f5a6ae1..023ad3f 100644
--- a/pagure/templates/user_settings.html
+++ b/pagure/templates/user_settings.html
@@ -271,9 +271,11 @@
                       <p>
                           Forcefully log out from every current open session.
                       </p>
-                      <a href="{{ url_for('ui_ns.force_logout') }}" method="post" class="btn btn-outline-danger">
-                          Log out all currently active sessions
-                      </a>
+                      <form action="{{ url_for('ui_ns.force_logout') }}" method="post">
+                        <input type="submit" class="btn btn-outline-danger"
+                         value="Log out all currently active sessions">
+                        {{ form.csrf_token }}
+                      </form>
                   </div>
                 </div>
               </div>
diff --git a/pagure/ui/app.py b/pagure/ui/app.py
index c4f3425..81a0a70 100644
--- a/pagure/ui/app.py
+++ b/pagure/ui/app.py
@@ -1448,16 +1448,18 @@ def force_logout():
     """ Set refuse_sessions_before, logging the user out everywhere
     """
     if admin_session_timedout():
-        if flask.request.method == "POST":
-            flask.flash("Action canceled, try it again", "error")
+        flask.flash("Action canceled, try it again", "error")
         return flask.redirect(
             flask.url_for("auth_login", next=flask.request.url)
         )
 
-    # Ensure the user is in the DB at least
-    user = _get_user(username=flask.g.fas_user.username)
+    # we just need an empty form here to validate that csrf token is present
+    form = pagure.forms.PagureForm()
+    if form.validate_on_submit():
+        # Ensure the user is in the DB at least
+        user = _get_user(username=flask.g.fas_user.username)
 
-    user.refuse_sessions_before = datetime.datetime.utcnow()
-    flask.g.session.commit()
-    flask.flash("All active sessions logged out")
+        user.refuse_sessions_before = datetime.datetime.utcnow()
+        flask.g.session.commit()
+        flask.flash("All active sessions logged out")
     return flask.redirect(flask.url_for("ui_ns.user_settings"))
diff --git a/tests/test_pagure_flask_ui_login.py b/tests/test_pagure_flask_ui_login.py
index 6a95f07..10ea36d 100644
--- a/tests/test_pagure_flask_ui_login.py
+++ b/tests/test_pagure_flask_ui_login.py
@@ -909,7 +909,8 @@ class PagureFlaskLogintests(tests.SimplePagureTest):
             self.assertEqual(output.status_code, 200)
 
             # Now logout everywhere
-            output = self.app.post('/settings/forcelogout/')
+            data = {'csrf_token': self.get_csrf()}
+            output = self.app.post('/settings/forcelogout/', data=data)
             self.assertEqual(output.status_code, 302)
             self.assertEqual(output.headers['Location'],
                              'http://localhost/settings')